Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's TCP implementation can overflow the socket's memory-accounting variable sk->sk_forward_alloc. The root cause is a signedness flaw in how the kernel computes the room left in the socket buffer (skb) at the tail of the write queue. When data is sent and such a tail skb exists, the kernel tries to append the new data to it and computes the available room as size_goal minus skb->len. size_goal is a signed int, but skb->len is unsigned, so the subtraction is carried out in unsigned arithmetic; when the tail skb is already larger than size_goal, the result that should be negative instead becomes a large positive value once it is stored in copy, an ssize_t. That oversized value then flows into the socket's memory accounting and can push sk->sk_forward_alloc past INT_MAX, wrapping it to a negative value and leaving the socket with a corrupted allocation budget. The condition is easiest to reproduce with the TCP_REPAIR feature, but it can also arise in normal operation.
Once sk_forward_alloc has wrapped to a negative value, every later accounting decision for that socket is made against a bogus budget: further allocation requests are granted or refused on the basis of the wrong number, which can lead to memory corruption or other unintended behavior.
To reproduce the issue, send data over a TCP connection at a moment when the skb at the tail of the write queue is already larger than the current size_goal. TCP_REPAIR lets that state be set up deliberately and reliably. The same condition can also arise without TCP_REPAIR: tcp_bound_to_half_wnd() can shrink size_goal to a small value below the length of the tail skb, the unsigned subtraction then yields a huge copy, and sk->sk_forward_alloc is driven close to INT_MAX. The next memory allocation request on the socket wraps sk_forward_alloc around to a negative value.
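The signedness mix-up and the resulting wrap of sk_forward_alloc, modeled in userspace C as an added example (this is not the kernel's code and not the fixing commit): the struct names model_skb and model_sock and all four helper functions are stand-ins chosen for illustration; only the field types come from the kernel, where skb->len is an unsigned int, size_goal is an int and sk->sk_forward_alloc is an int. The sample values (a 1500-byte tail skb, a size_goal of 1000, a budget 100 bytes short of INT_MAX) are constructed for the demonstration.

```c
#include <limits.h>
#include <stdio.h>
#include <sys/types.h>   /* ssize_t */

/*
 * Userspace model of the fields involved. These are NOT the kernel's
 * struct sk_buff / struct sock; only the field types match the kernel:
 * skb->len is an unsigned int and sk->sk_forward_alloc is an int.
 */
struct model_skb  { unsigned int len; };
struct model_sock { int sk_forward_alloc; };

/*
 * Vulnerable room calculation. size_goal is an int and skb->len is an
 * unsigned int, so the usual arithmetic conversions make the subtraction
 * unsigned. A tail skb longer than size_goal should give a negative
 * result; instead the unsigned wrap is zero-extended into the 64-bit
 * ssize_t and comes out as a large positive number.
 */
ssize_t room_in_tail_skb_vulnerable(int size_goal, const struct model_skb *skb)
{
	ssize_t copy = size_goal - skb->len;
	return copy;
}

/* Hardened version: keep the subtraction signed so an oversized tail skb yields copy <= 0. */
ssize_t room_in_tail_skb_fixed(int size_goal, const struct model_skb *skb)
{
	ssize_t copy = (ssize_t)size_goal - (ssize_t)skb->len;
	return copy;
}

/*
 * Model of charging bytes against sk_forward_alloc the way the advisory
 * describes: a plain int addition. The kernel is built so that signed
 * overflow wraps; to stay well defined in userspace C the wrap is
 * expressed through unsigned arithmetic and converted back to int.
 */
int forward_alloc_after_charge(int sk_forward_alloc, ssize_t bytes)
{
	unsigned int sum = (unsigned int)sk_forward_alloc + (unsigned int)bytes;
	return (int)sum;
}

/* Overflow-checked variant: refuse a charge that would not fit in the int budget. */
int forward_alloc_charge_checked(struct model_sock *sk, ssize_t bytes)
{
	long long next = (long long)sk->sk_forward_alloc + (long long)bytes;
	if (bytes < 0 || next > INT_MAX)
		return 0;          /* would wrap: refuse and leave the accounting untouched */
	sk->sk_forward_alloc = (int)next;
	return 1;
}

int main(void)
{
	struct model_skb tail = { .len = 1500 };  /* constructed: tail skb already holds 1500 bytes */
	int size_goal = 1000;                     /* constructed: size_goal shrunk below the tail's length */

	ssize_t bad  = room_in_tail_skb_vulnerable(size_goal, &tail);
	ssize_t good = room_in_tail_skb_fixed(size_goal, &tail);
	printf("vulnerable copy = %zd, fixed copy = %zd\n", bad, good);

	/* Constructed: accounting already near INT_MAX, then one page-sized charge wraps it negative. */
	struct model_sock sk = { .sk_forward_alloc = INT_MAX - 100 };
	int wrapped = forward_alloc_after_charge(sk.sk_forward_alloc, 4096);
	printf("unchecked charge: sk_forward_alloc = %d (negative means wrapped)\n", wrapped);

	int ok = forward_alloc_charge_checked(&sk, 4096);
	printf("checked charge: accepted=%d, sk_forward_alloc = %d\n", ok, sk.sk_forward_alloc);
	return 0;
}
```

Compile with cc -std=c11 on a 64-bit host and run: the vulnerable room calculation reports a copy of roughly 4 GiB where the signed version reports -500, and the unchecked charge turns the budget negative while the checked variant refuses it. The hardening shown is generic overflow hygiene for illustration, not a statement of what the upstream patch changed.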
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is available in the Linux kernel stable tree.